The Virginia legislature has introduced several bills that would amend Virginia’s Consumer Data Protection Act (“CDPA”), which was enacted last year. These bills are largely in response to the November 1, 2021 Virginia Consumer Data Protection Act Work Group report (the “Report”), which outlined 17 “points of emphasis” related to the CDPA. The Report includes recommendations regarding administrative items, permitting the Attorney General to seek actual damages based on consumer harm, implementing a right (that would sunset) to cure violations of the CDPA, amending the right to delete, amending the definition of sensitive data, implementing global privacy control, and providing resources to consumers and small businesses, among other topics.

The following is a high-level summary of the relationship between the introduced bills and the Report:

I.     HB 381 and SB 393

In the Report, the work group specifically called for the “right to delete” provision in the CDPA to be a “right to opt out of sale” as well. This change is meant to address the scenario where the benefit of deleting data may be undone if there is indirect collection at a later date. These bills would permit a business to satisfy a consumer’s request to delete by opting the consumer out of processing of their data for targeted advertising, sale, or profiling. Note that the opt out in HB 381 is broader and would opt the consumer out of processing for any purpose (with certain exceptions).

II.     HB 714 and SB 534

The work group also outlined that there is a need to employ an “ability to cure” option for violations, should a potential cure exist, as well as permitting the Office of the Attorney General to pursue actual damages based on consumer harm.

Accordingly, these bills add a 30-day cure period that would only apply to violations that the Attorney General deems curable. Additionally, these bills would allow the Attorney General to seek actual damages in addition to existing remedies (injunctive relief and statutory damages of $7,500.00 per violation).

III.     HB 1259

The Report also mentioned the need to consider whether the definition of “sensitive data” should exclude general demographic data used to promote diversity and outreach to underserved populations.

This bill proposes to address this by removing consent requirements for processing sensitive data when such processing involves “racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status” if the data is used solely for marketing, advertising, fundraising, or similar outreach, communications or information sharing that does not result in decisions that could produce legal or similarly significant effects concerning the consumer.

Virginia is not the only state working to change its existing privacy framework. Colorado’s Office of the Attorney General will begin rulemaking activities shortly and the California Privacy Protection Agency recently held a public meeting to discuss updates to its rulemaking process. More details are available on CPW’s blog covering these announcements.

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB 694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.

As Ann LaFrance, Alan Friel, Elliot Golding, Kyle Fath, Glenn Brown, Kyle Dull, Niloufar Massachi, and Gicel Tomimbang explain in a comprehensive expert analysis, recent changes in US consumer privacy laws will require most US businesses to make material changes to their privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado). The analysis includes infographics that compare and contrast the applicable laws. Besides discussing these changes, they make recommendations on what to do during the remainder of 2021 and throughout 2022 to ensure business readiness by 2023.

You can read their breakdown here or below.

CPRA/CDPA/CPA Unpacked: Develop a Preparedness Plan Now

In a must-read, CPW’s Glenn Brown provides a detailed breakdown of the Virginia Consumer Data Protection Act (the “CDPA”) and how it stacks up relative to the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), which amends and will essentially replace the CCPA on 1 January 2023, and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).  Check out his article available at One Trust’s Data Guidance.

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn’s complete analysis here.

The Interactive Advertising Bureau (IAB) and IAB Tech Lab have proposed updates to their industry-level agreements and privacy signal program to support the efforts of marketers, agencies, publishers, and ad tech companies to comply with the US state privacy laws going into effect in 2023. The comment period on the updates is open until October 27.

This blog post is a bonus supplement to our quarterly Artificial Intelligence and Biometric Privacy Quarterly Review Newsletter. Be on the lookout for our Q3 Newsletter!

We are quickly approaching the Jan. 1, 2023 operative date of most of the provisions of the California Privacy Rights Act (“CPRA”), which, as most of us know by now, substantially amends the CCPA. Under the CPRA, the California Privacy Protection Agency (“CPPA” or “Agency”) has a mandate to issue regulations on a number of specific topics. With just under three months to go until January 1, regulations are not even close to being finalized. The Agency released the first draft of proposed regulations on May 24, and the first public comment period ended on August 23. In a meeting held by the CPPA on Friday, September 23, the Agency gave no concrete sense of timing or any comments on topics, such as those discussed in this post, for which regulations have not even been issued. This has left many businesses feeling left in the lurch, uncertain of what to do.

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature.  Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

JUST RELEASED: 2022 Q1 AI/Biometric Litigation Trends | Consumer Privacy World

Registration Open: March 30 Webinar on International Data Transfers | Consumer Privacy World

France Updates its Whistleblower Protection to Transpose the EU Whistleblower Directive | Consumer Privacy World

Federal Court Dismisses Litigation Challenging U.S. Postal Service’s Use of Facial Recognition and Related Technologies | Consumer Privacy World

United States and European Commission Announce Trans-Atlantic Data Privacy Framework: Setting the Scene for Schrems III? | Consumer Privacy World

California Attorney General Clarifies that Inferences are Personal Information | Consumer Privacy World

Registration OPEN: April 5 from 12-1 pm EST 2022 Developments and Trends Concerning Biometric Privacy and Artificial Intelligence | Consumer Privacy World

Top Five Takeaways for Businesses from the New CISA Cyber Reporting Act | Consumer Privacy World

Hello, Utah Consumer Privacy Act! | Consumer Privacy World

New UK IDTA and Addendum Come Into Force | Consumer Privacy World

FBI Warns U.S. Critical Infrastructure Subject to Reconnaissance for Cyberattacks | Consumer Privacy World

NIST Publishes AI Risk Management Framework and Updates on Bias in AI | Consumer Privacy World

SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360 | Consumer Privacy World

CPW on the Speaking Circuit in March: Colin Jennings to Present on Cybersecurity and Ransomware | Consumer Privacy World

President Biden Calls upon Companies’ Patriotic Obligation to Prepare for Cyberattacks | Consumer Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Consumer Privacy World

BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up | Consumer Privacy World

New Law Requires 72-Hour Notice for Cyber Incidents | Consumer Privacy World

BREAKING Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass | Consumer Privacy World

Virginia Work Group Report Leads to Proposed CDPA Amendments | Consumer Privacy World
